Published on October 4, 2021. Author: Privacy Research Team
Companies are producing and processing data in massive volumes. This data is then scattered across a multitude of environments, such as on-premises infrastructure, SaaS applications, and multi-cloud IaaS platforms. Apart from a company’s regulated on-premises environment, a significant part of the data also lives on unregistered devices such as smartphones, in email, and so on. This ultimately results in data sprawl, which in turn leads to a lack of visibility into personal information (PI) as well as sensitive data.
When companies handle PI and sensitive data, such as customers’ financial information, that data requires strong protection against cyber security threats as well as strict compliance with privacy laws and industry standards, such as the Payment Card Industry Data Security Standard (PCI DSS). Weak data protection strategies may lead to security breaches, which can be very harmful to customers, leading to identity theft and an increased risk of fraud, and can damage the reputation of the enterprise.
In some cases, customers may even sue an organization for its security failures, and this could lead to massive financial damage and loss of consumer trust. In the case of payment processing services, a company might even lose important channels of business altogether. For example, failing to protect cardholders’ data as required by the PCI DSS standard may lead to a prohibition on processing further payments through credit and debit cards.
While most data privacy protection laws cover a broad range of personal data attributes, PCI DSS governs only payment card processing-related attributes, mandating that organizations ensure the security of stored sensitive data resulting from payment card transactions.
When companies process payment card transactions, two types of sensitive data are generated: authentication data and non-authentication data. PCI DSS prohibits storing authentication data; it must be erased from every storage system immediately. This type of data includes the Card Verification Value (CVV), Primary Account Number (PAN), and Personal Identification Number (PIN).
Non-authentication data includes the cardholder’s name, card expiration date, and service code. PCI DSS allows the storage and processing of non-authentication data as long as it is protected and handled in accordance with the organization’s information security policies.
PCI DSS mandates that all sellers and payment card processing services ensure the safe and secure collection, transmission, and processing of cardholders’ data. PCI DSS lays down 12 requirements, grouped under 6 goals. Every payment card processing service must comply with the defined security requirements:
PCI DSS requires that the sensitive data of a cardholder that is collected, stored, and processed by the organization during and after a transaction must be protected at all times. To comply with PCI DSS, organizations must meet the established data security requirements discussed above.
In summary, the security requirements boil down to the following:
Assurance of these security requirements is only possible when the merchant or the service provider knows where cardholder data resides in its systems, and data sprawl makes this especially hard. For example, when data is accessed or used by multiple processes, it tends to spread to other systems. Apart from residing in the data assets of a known environment, a cardholder’s data may inadvertently make its way to other devices, such as a smartphone, a personal laptop, or a BYOD machine. Cross-platform auto-synchronization is one common cause of this kind of sprawl or leak.
Therefore, to ‘discover’ in which data systems customers’ cardholder data is stored, organizations must devise a method to scan the data within their systems, determine which records fall within the definition of cardholder data, and rank which of them are more sensitive than others.
This is where PCI DSS card data discovery comes into play.
Data discovery starts with the identification of data assets across the network. It creates visibility into data assets by first gathering and building a catalog of all cloud-native and non-native data assets, whether they sit in SaaS applications, in IaaS data stores across multiple cloud providers, or on-premises. Effective data discovery systems allow identification of critical information, such as the cardholder’s name, card expiration date, and other details, in structured forms (tables and columns) or unstructured forms (spreadsheets, emails, etc.).
Once the data assets are mapped and cataloged, the next step is to discover and classify the data within those assets or object stores. Data classification categorizes data by its sensitivity or security risk. As a result, teams can determine the types of security measures that need to be implemented.
Only once an effective data discovery mechanism is in place can the organization assess the security posture of each data store and the vulnerabilities it may have. This provides a reliable basis on which the organization can implement security measures and other risk mitigations to ensure the data remains protected.
Before starting the PCI DSS card data discovery process, it is vital to define the scope of cardholder data (CHD) discovery and classification. Sellers and service providers can define an accurate scope by taking into account the following important considerations:
Sellers and service providers should use a data discovery tool that integrates natively with their card data environment and their cloud data assets. The tool should also offer a deep discovery feature that can scan for and discover different personal and sensitive data attributes, use machine learning, AI, and contextual analysis to reduce false positives, identify security and privacy metadata within the data, and classify the risk posed by the data.
All in all, the data discovery tool should give detailed insights into the data type, its sensitivity level, its security posture, and its compliance status.
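The scanning step described above (finding which records in a text export, log or e-mail body are cardholder data, and using context to cut false positives) can be illustrated with a small scanner. The code below is an added example, not Securiti’s product code and not taken from this article: it finds PAN-looking digit runs, keeps only those that pass the Luhn checksum, raises confidence when card-related words share the line, and flags lines where CVV/PIN-style tokens (authentication data the article says must never be stored) sit next to the number. The sample lines, keyword lists and scoring rules are constructed assumptions for illustration; the card numbers are publicly documented test numbers, not real accounts. The report deliberately keeps only the last four digits so the discovery tool itself does not spread full PANs further.

```python
"""Toy cardholder-data discovery scanner (added example, not a vendor's product code).

Assumptions: input is plain text lines (a log, CSV export or e-mail body).
The Luhn check and the context-keyword lists are illustrative choices, not the
scoring used by any particular product.
"""
import re
from dataclasses import dataclass

# Constructed sample lines. The card numbers are publicly documented test
# numbers (Visa 4111..., Mastercard 5555..., Amex 3782...), not real accounts.
SAMPLE_LINES = [
    "order_id=10492 customer=J. Doe card=4111111111111111 exp=12/24",
    "support ticket: customer asked about invoice INV-4111111111111112",
    "cvv=123 pan=5555 5555 5555 4444 pin=4821",
    "phone: 4111 1111 1111 1112",
    "SKU 378282246310005 shipped to warehouse 7",
]

# 13-19 digits, optionally separated by single spaces or dashes, and not part
# of a longer digit run (so a 20-digit order id is not carved into a "card").
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Words that make a Luhn-valid number much more likely to be a real PAN ...
CHD_CONTEXT_RE = re.compile(r"\b(?:card|cardholder|pan|exp|expiry|visa|mastercard|amex)\b")
# ... and words indicating sensitive authentication data (CVV, PIN) sits next
# to it, which must not be stored at all.
SAD_CONTEXT_RE = re.compile(r"\b(?:cvv|cvv2|cvc|cid|pin|track)\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers; weeds out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    line_no: int
    masked_pan: str   # only the last four digits survive into the report
    confidence: str   # "high" if card-related words share the line, else "low"
    sad_nearby: bool  # CVV/PIN-style tokens on the same line


def mask(digits: str) -> str:
    """Keep the last four digits, as a discovery report should."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_lines(lines):
    """Return one Finding per Luhn-valid PAN candidate, with context-based scoring."""
    findings = []
    for no, line in enumerate(lines, start=1):
        low = line.lower()
        chd_ctx = CHD_CONTEXT_RE.search(low) is not None
        sad_ctx = SAD_CONTEXT_RE.search(low) is not None
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if not luhn_ok(digits):
                continue  # invoice ids, phone numbers and similar noise fail the checksum
            findings.append(Finding(no, mask(digits), "high" if chd_ctx else "low", sad_ctx))
    return findings


def summarize(findings):
    """Counts a compliance reviewer would look at first."""
    return {
        "pan_hits": len(findings),
        "high_confidence": sum(f.confidence == "high" for f in findings),
        "with_auth_data_nearby": sum(f.sad_nearby for f in findings),
    }


if __name__ == "__main__":
    found = scan_lines(SAMPLE_LINES)
    for f in found:
        print(f"line {f.line_no}: {f.masked_pan} confidence={f.confidence} auth_data_nearby={f.sad_nearby}")
    print(summarize(found))
```

On the constructed sample this reports three hits: the order line (high confidence), the line carrying a PAN together with CVV and PIN values (high confidence, flagged as having authentication data nearby), and the SKU line, which passes the checksum but has no card-related context and is therefore reported as low confidence for a human to review. The invoice number and the phone number fail the Luhn check and are dropped. A production scanner would apply the same two filters (format plus checksum, then context) across database columns and object stores rather than lines of text.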
Securiti offers an AI-powered robotic data discovery tool, built to scan data in structured and unstructured systems across an organization’s dynamic environment. Along with sensitive data intelligence and Personal Information auto-linking, Securiti’s data discovery tool discovers Personal Information within structured or unstructured databases, identifies the type of data, appends its security and privacy metadata, scores it according to the risk it poses, and auto-links it to the data subject’s ID. Thus, with our Data Discovery tool, organizations can: